Platform: python
Component: pyload-ng
Fixed version: 0.5.1
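CVE-2026-35464 is an arbitrary file access vulnerability found in the pyload-ng download manager. It allows a user with the appropriate permissions to redirect downloads to the Flask filesystem session store and trigger arbitrary code execution with a malicious pickle payload. Affected versions include pyload-ng ≤0.5.0b3. The vulnerability was fixed in version 0.5.0b3.dev96.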
The core of this vulnerability lies in the insufficient restriction of the storage_folder option within pyload-ng's configuration. While a previous fix (CVE-2026-33509) aimed to restrict admin-only options, storage_folder was inadvertently omitted. An attacker with SETTINGS and ADD permissions can leverage this oversight to redirect downloads to the Flask filesystem session store. By planting a malicious pickle payload as a predictable session file, they can trigger arbitrary code execution upon any subsequent HTTP request containing the corresponding session cookie. This represents a significant escalation of privilege, potentially granting an attacker complete control over the system running pyload-ng.
This vulnerability was publicly disclosed on 2026-04-04. There is currently no indication of active exploitation campaigns targeting CVE-2026-35464. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature suggests it could be relatively straightforward to exploit once a POC is developed. The vulnerability has not been added to the CISA KEV catalog as of this writing.
Organizations and individuals utilizing pyload-ng for download management, particularly those with multiple users and less stringent access controls, are at risk. Shared hosting environments where multiple users share the same pyload-ng instance are especially vulnerable, as an attacker could potentially compromise the entire environment through a single user account.
• python / server:
    import os

    # Check for unusual files in the Flask session directory
    session_dir = '/path/to/your/pyload-ng/flask_session'
    for filename in os.listdir(session_dir):
        if filename.endswith('.pkl'):
            print(f"Suspicious pickle file found: {session_dir}/{filename}")
• shell / server:
    # Monitor for unusual processes accessing the Flask session directory
    ps aux | grep 'pickle' | grep '/path/to/your/pyload-ng/flask_session'
Exploitation status
EPSS
0.09% (26th percentile)
CISA SSVC
The primary mitigation for CVE-2026-35464 is to immediately upgrade pyload-ng to version 0.5.0b3.dev96 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing stricter access controls to limit the users who possess SETTINGS and ADD permissions. While not a complete solution, carefully reviewing and restricting user privileges can reduce the attack surface. Monitor the Flask session directory for unexpected files or modifications. There are no specific WAF rules or Sigma/YARA patterns readily available for this specific vulnerability, but general pickle deserialization detection rules may provide some level of protection.
Upgrade pyLoad to version 0.5.0b3.dev96 or later to mitigate the vulnerability. The update fixes the missing protection on the 'storage_folder' option, preventing arbitrary code execution through the Flask session store.
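An added example (not code from pyLoad or from this advisory) of one way to carry out the session-directory monitoring recommended above: it tokenizes each file with `pickletools` instead of loading it, and flags files whose pickle imports or calls objects. The opcode list, the `max_header` allowance for bytes a session store may write before the pickle, and the sample file names are assumptions; a hit is a heuristic signal for review.

```python
import io
import os
import pickle
import pickletools
import struct
import tempfile

# Opcodes that import or call objects. A session that only holds dicts,
# strings and numbers serializes without any of them.
RISKY = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
         "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def risky_opcodes(data, max_header=8):
    """Tokenize pickle streams in `data`; nothing is ever unpickled.

    Returns sorted risky opcode names, or None if no start offset within
    `max_header` bytes (assumed header allowance) parses as pickle.
    """
    for start in range(min(max_header, len(data)) + 1):
        buf, found = io.BytesIO(data[start:]), set()
        try:
            while buf.tell() < len(data) - start:  # back-to-back streams
                for op, _arg, _pos in pickletools.genops(buf):
                    if op.name in RISKY:
                        found.add(op.name)
        except Exception:
            continue  # not a pickle at this offset, try the next one
        return sorted(found)
    return None

def scan_session_dir(session_dir):
    """Return {file name: risky opcodes} for files that need manual review."""
    hits = {}
    for entry in os.scandir(session_dir):
        if entry.is_file(follow_symlinks=False):
            with open(entry.path, "rb") as fh:
                ops = risky_opcodes(fh.read())
            if ops:
                hits[entry.name] = ops
    return hits

if __name__ == "__main__":
    # Constructed samples: a plain session dict, and a harmless pickle of the
    # built-in print, which still needs an import opcode (4 zero bytes = header).
    with tempfile.TemporaryDirectory() as d:
        for name, obj in (("plain", {"user": "alice"}), ("imports", print)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(struct.pack("I", 0) + pickle.dumps(obj, protocol=4))
        print(scan_session_dir(d))
```

Point `scan_session_dir` at the real Flask session directory from a scheduled job and review any file it reports.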
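CVE-2026-35464 is an arbitrary file access vulnerability in the pyload-ng download manager that allows an attacker to execute arbitrary code by manipulating the download destination, exploiting pickle deserialization in the Flask session store.
If you are running pyload-ng version 0.5.0b3 or earlier, your system may be affected by this vulnerability. Upgrade to 0.5.0b3.dev96 or later as soon as possible.
This vulnerability was fixed in version 0.5.0b3.dev96. Upgrade to this version or later to resolve the issue.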
CVSS vector